Fraudulent Unemployment Claims Are Tied to Previous Data Breaches
People across the country are shocked when they open their mail and find a notification of an unemployment claim they never filed. This now daily occurrence is leaving individuals and their employers concerned about how this personal information was obtained and what they should do next. In this blog, we’ll explain how these fraudulent unemployment claims are being filed and what you can do to protect yourself.
Back in July, the FBI warned that there was a spike in fraudulent unemployment claims that was spreading throughout the country and impacting every state. To date, Illinois has had more than 212,000 fraudulent unemployment claims since March 1, 2020, and Massachusetts has determined that over 171,000 of its unemployment claims are fraudulent. At one point, Washington state froze unemployment payments for two days after finding $1.6 million in fraudulent claims. If you don’t know someone who has been impacted yet, chances are you will soon.
Why are Fraudulent Unemployment Claims Rising?
Criminals are taking advantage of today’s high unemployment rate and hoping to slip fraudulent unemployment claims past overwhelmed state workers. With the high number of claims, it is also likely that fraud investigations will take longer, and criminals can cash in on profits in the interim. This year has been particularly difficult since the federal Pandemic Unemployment Assistance program for the self-employed bypassed some of the standard safeguards such as verification using previous employers.
Many people find fraudulent unemployment claims particularly upsetting since filing one requires a Social Security Number (SSN). If you are under the impression that your SSN is secure information, sadly, it is not. After myriad high-profile data breaches, especially the 2017 Equifax breach, there are millions of SSNs available for sale on the dark web for as little as $4.
While states are trying to tighten identity verification standards, it is a struggle to adopt enhanced security measures without causing significant verification delays that impact legitimate claims from workers who have lost their jobs and need funds quickly.
How Do You Know if a Fraudulent Unemployment Claim is Filed in Your Name?
The first sign that someone has become a victim of unemployment fraud is often a mailed notice that they have submitted a claim. However, some people don’t discover they have been a victim of a fraudulent unemployment claim until they file a legitimate claim and find their benefits have been exhausted, or they receive a 1099-G at the end of the year. A number of criminal groups are using money mules (people who are frequently tricked into sharing their bank account information) to unknowingly receive the money, which is then quickly transferred to an overseas account. If everything is done digitally, it’s possible for victims to be completely unaware that a claim has been filed.
What Should You Do if a Fraudulent Unemployment Claim is Filed in Your Name?
Be vigilant and act quickly. Watch for any type of notification from your state’s unemployment agency and follow up immediately. If you suspect unemployment fraud, you should:
- Contact your state unemployment office and let them know that a fraudulent unemployment claim has been filed in your name. You can Google the information or use the US Dept. of Labor’s unemployment fraud reporting page that has links for each state. Many of the states are receiving so many of these claims that they have simplified the reporting process. For example, in the image below, you can see that Massachusetts has a page dedicated to explaining the situation, and an online form and telephone number to report the fraud. In the sample below, you can see the fraud report form for individuals, as well as an email address for employers to report fraudulent unemployment claims.
As users complete the online fraud reporting form, they are also asked to list any data breaches in which their information was disclosed to help quantify the data source. Try to provide this information when possible as it helps incident response investigators.
- Contact your employer and let them know a fraudulent claim was filed in your name. Follow up with your employer to ensure your state stops the claim in time. Employers should report the claim as fraud and follow up with their employee so they can continue to monitor the situation.
- Consider freezing your credit and requesting a free credit report. You should request a free credit report to ensure there is no other fraudulent activity. While these claims are mostly tied to previous data breaches, also consider freezing your credit. This can prevent others from opening accounts in your name, and when you are ready to open a new account, you can unfreeze your credit.
- Keep notes and records of your fraud filing. Some states recommend filing a police report to ensure the incident is recorded. Keep these records in case you receive a 1099-G at the end of the year and need to dispute the income – you are not responsible for the taxes on any money that was paid to the criminal.
How Can You Proactively Protect Yourself & Your Company From Hackers?
The sad reality is that if there is a full profile of your information on the dark web, you probably can’t prevent someone from filing a claim on your behalf. Your best bet is to be vigilant and proactive about cybersecurity. Here are a few simple tips to protect yourself and your organization from a myriad of attacks:
- Stay alert and safeguard your information. Before you respond to an email, letter or phone call, be suspicious. Don’t click on links – go directly to sites instead – and verify any requests for personal information with an out-of-band communication. Read our blogs on avoiding phishing and vishing for more suggestions.
- Use strong, long passwords or phrases. Don’t reuse your passwords on multiple sites and never share them with anyone. Many people reuse passwords because they can’t remember the 50+ different passwords we all need to use, so use a safe password manager to keep things simple. For more details on password safety, read our password tip sheet, then send it out to all employees. If you want to know how to develop the safest passwords or password requirements, read our blog on the data behind a safe password policy. We geek out with lots of math and share how our team can crack an 8-character password hash in 15 hours or less, but longer, stronger passwords could take us years.
- Use multi-factor authentication (MFA) when possible. While it’s not perfect, MFA is an important step to protect your information. We recommend avoiding SMS authentication if a stronger option such as Google Authenticator, Authy or Duo is available. These authenticators offer stronger security, such as codes that are generated on the device itself (meaning they do not need to be sent across the phone network, and therefore can’t be intercepted in transit). Read our MFA blog for more information.
- Upgrade your home Wi-Fi & smartphone security. With so many people working remotely, it’s time to upgrade your home network to protect yourself and your organization. Check out our Wi-Fi security blog for a few simple tips almost anyone can do in one afternoon. Also, use the password or biometrics security features on your mobile phone – this will make it harder for attackers to leverage your data if your phone is lost or stolen. If your employees bring their own devices (BYOD) for work purposes, share our BYOD security tips document with your entire team.
Sadly, data breaches and identity theft are a modern world problem that is not going away any time soon. Using proactive protection strategies and being vigilant in limiting the distribution of your personal information can help. We hope you find these tips helpful. If your organization needs help crafting safe remote work, BYOD or network security policies, contact us and we can help.